Tenable review
What middleBrick covers
- Black-box API scanning with scan times under one minute
- 12 OWASP API Top 10 categories plus LLM security probes
- OpenAPI 2.0/3.0/3.1 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- CI/CD integration via GitHub Action and MCP server
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Overview and positioning
This review compares a self-service API security scanner to Tenable's approach to vulnerability management. The tool operates as a black-box scanner that accepts a target URL and returns a risk grade with prioritized findings. It focuses on read-only checks, using GET and HEAD methods and text-only POST for LLM probes, and completes most scans in under a minute.
Detection coverage and methodology
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), covering authentication bypass, JWT misconfigurations, Broken Object Level Authorization, Broken Function Level Authorization, property exposure, input validation, rate limiting, data exposure, encryption issues, SSRF, inventory mismanagement, and unsafe consumption. It also includes 18 LLM/AI security probes spanning quick, standard, and deep tiers, testing for system prompt extraction, instruction override, jailbreaks, data exfiltration, and token smuggling.
OpenAPI specifications in versions 2.0, 3.0, and 3.1 are parsed with recursive $ref resolution, and spec definitions are cross-referenced against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. The scanner does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope, and it does not detect business logic flaws that require deep domain understanding.
Authenticated scanning and operational safety
Authenticated scans are available in paid tiers, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced via DNS TXT records or an HTTP well-known file to ensure only domain owners can scan with credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The tool's safety posture restricts scans to read-only methods and blocks destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is not sold or used for model training.
Integration, monitoring, and reporting
The product provides a web dashboard for scanning, viewing reports, tracking score trends, and downloading branded compliance PDFs. A CLI via an npm package supports command-line execution with JSON or text output, and a GitHub Action can gate CI/CD pipelines, failing builds when scores drop below a chosen threshold. An MCP server enables scanning from AI coding assistants, and a programmable API supports custom integrations.
Pro tier adds scheduled rescans at intervals ranging from every six hours to monthly, with diff detection to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and webhooks are HMAC-SHA256 signed, with auto-disable after five consecutive failures. Compliance mappings are provided for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the tool supports audit evidence collection and alignment with described controls but does not claim certification or guarantees of compliance.
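Receiving side of the signed webhooks described above, as an added example that is not middleBrick's own code: the page only states that webhooks are HMAC-SHA256 signed and auto-disabled after five consecutive failures, so the header name (`X-Signature`), the hex encoding, and signing over the raw body are assumptions.

```python
import hmac
import hashlib

# Assumed signature format (not specified by the page): HMAC-SHA256 over the
# raw request body with a shared secret, lowercase hex digest in this header.
SIGNATURE_HEADER = "x-signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 of the raw body, as the sender would."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver-side check: recompute the MAC over the raw bytes (never over a
    re-serialised JSON object) and compare in constant time, so a forger gets no
    byte-by-byte timing oracle. Header lookup is case-insensitive."""
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER), None)
    if not received or not received.isascii():
        return False
    return hmac.compare_digest(sign_payload(secret, body), received.lower())


class WebhookEndpoint:
    """Sender-side delivery state mirroring the auto-disable rule on the page:
    five consecutive failed deliveries disable the endpoint; a success resets."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self) -> None:
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, ok: bool) -> bool:
        """Record one delivery attempt and return whether the endpoint stays enabled."""
        if not self.enabled:
            return False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    body = b'{"api":"billing","new_findings":2,"resolved":1,"score_delta":-4}'
    hdrs = {"X-Signature": sign_payload(secret, body)}
    print("genuine:", verify_webhook(secret, body, hdrs))
    tampered = body.replace(b'"new_findings":2', b'"new_findings":0')
    print("tampered:", verify_webhook(secret, tampered, hdrs))
```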
Limitations and constraints
The scanner does not fix, patch, block, or remediate findings; it reports and provides guidance. It does not perform blind SSRF testing that relies on out-of-band infrastructure, nor does it replace a human pentester for high-stakes audits. False positives and false negatives are possible, especially for complex business logic issues.
Scan policies can be tuned, but the tool does not support custom payload injection for intrusive tests. Organizations should treat scan results as one input to a broader security program and validate critical findings through targeted manual review.